Auvik can log into my FortiGate firewall, but won't back up its configuration

If the collector reaches the firewall through a VPN, the configuration backup can fail even though Auvik shows green checkmarks for both SNMP and Login.

Auvik backs up a FortiGate's configuration by issuing a command that makes the device send its config file to the collector over FTP (File Transfer Protocol). When the firewall sends that FTP traffic over a site-to-site VPN, it uses the IP address of the egress interface as the source IP of the packets. Most site-to-site tunnel interfaces have no IP address assigned, so the FTP packets leave with a source IP of 0.0.0.0. Site-to-site VPNs restrict which source and destination subnets may pass through them, so packets arriving over the tunnel with a source of 0.0.0.0 are denied.

To fix this, assign the tunnel interface an IP address that falls within the IP ranges the VPN allows.

[Screenshot: FortiGate configuration highlights]

Note: If only one subnet passes through the VPN and the firewall's LAN interface belongs to it, the firewall may return an error when you try to assign the tunnel an IP from that same subnet. If that happens, assign the tunnel interface an address from a different subnet; a /32 address allocated just for this purpose works. Make sure you adjust your routing and tunnel policies to allow traffic to and from that new address.
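As an added example (not from the Auvik article), this is what the /32 variant of the fix looks like in the FortiOS CLI, including a check that the FTP packets now carry the new source address. The tunnel name `to-collector`, the phase 2 name, the 10.255.255.x addresses and the `COLLECTOR_IP` placeholder are assumptions; substitute your own.

```fortios
# Added example, not Auvik's code. Names and addresses (to-collector,
# 10.255.255.1/32, 10.255.255.2, COLLECTOR_IP) are assumptions.

# 1. Give the IPsec tunnel interface an address so traffic the firewall
#    generates itself (the FTP session carrying the backup) no longer
#    leaves with a source of 0.0.0.0.
config system interface
    edit "to-collector"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# 2. Add a phase 2 selector so the new /32 is a permitted source towards
#    the collector. The far end of the tunnel must permit the same
#    source/destination pair, or it will still drop the packets.
config vpn ipsec phase2-interface
    edit "to-collector-backup"
        set phase1name "to-collector"
        set src-subnet 10.255.255.1 255.255.255.255
        set dst-subnet COLLECTOR_IP 255.255.255.255
    next
end

# 3. Make sure the collector is reached via the tunnel interface.
config router static
    edit 0
        set dst COLLECTOR_IP 255.255.255.255
        set device "to-collector"
    next
end

# 4. Verify: trigger a backup from Auvik and watch the FTP control
#    channel on the tunnel. The source should now be 10.255.255.1.
diagnose sniffer packet to-collector 'host COLLECTOR_IP and port 21' 4
```

If the sniffer still shows a 0.0.0.0 source, the FTP session is leaving through a different interface than the tunnel, so check the route to the collector first.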

If that doesn't resolve the issue, or if your FortiGate doesn't need to traverse a VPN to reach the collector, contact Auvik Support.
